Dec 29, 2023 - 2:45 p.m.

Security Bulletin: Vulnerabilities in node.js affect Cloud Pak System [CVE-2023-28154, CVE-2022-46175, CVE-2022-3517]

Source: www.ibm.com

AI Score: 9.6 High (Confidence: High)

EPSS: 0.006 Low (Percentile: 77.8%)

Summary

Vulnerabilities in the react-scripts node.js modules affect Cloud Pak System. Cloud Pak System has addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2023-28154
**DESCRIPTION:** Webpack could allow a remote attacker to bypass security restrictions, caused by the mishandling of the magic comment feature by ImportParserPlugin.js. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain access to the real global object.
CVSS Base score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/249874 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2022-46175
**DESCRIPTION:** JSON5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the parse method. By adding or modifying properties of Object.prototype using a `__proto__` or `constructor` payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/242965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H)
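The bug class behind CVE-2022-46175, as an added illustration that is not JSON5's or IBM's code: a parser that stores keys with plain bracket assignment lets a `__proto__` key replace the result object's prototype, while defining keys as own data properties (and refusing the polluting key names) does not. Tokenising is delegated to `JSON.parse` here, so the toy parser only models the unsafe key-assignment step; the payload is constructed for the demo.

```javascript
// Keys a prototype-pollution payload relies on; assumed list, not from the advisory.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: result[key] = value invokes the inherited __proto__ setter when
// key === '__proto__', so the value becomes the object's prototype, not an own property.
function unsafeParse(text) {
  const result = {};
  for (const [key, value] of Object.entries(JSON.parse(text))) {
    result[key] = value;
  }
  return result;
}

// Hardened pattern: Object.defineProperty always creates an own data property and never
// consults the prototype chain, and the known polluting keys are rejected outright.
function safeParse(text) {
  const result = {};
  for (const [key, value] of Object.entries(JSON.parse(text))) {
    if (POLLUTING_KEYS.has(key)) {
      throw new SyntaxError(`refusing unsafe key "${key}"`);
    }
    Object.defineProperty(result, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return result;
}

// Consumer-side check on untrusted parsed data: a plain object whose prototype is no
// longer Object.prototype has had its chain tampered with.
function hasTamperedPrototype(obj) {
  return Object.getPrototypeOf(obj) !== Object.prototype;
}

// Constructed payload modelled on the advisory's "__proto__ payload" wording.
const PAYLOAD = '{"name": "demo", "__proto__": {"isAdmin": true}}';

function demo() {
  const polluted = unsafeParse(PAYLOAD);
  let safeError = null;
  try { safeParse(PAYLOAD); } catch (e) { safeError = e.message; }
  return {
    // isAdmin reads as true through inheritance although it is not an own property
    inheritedIsAdmin: polluted.isAdmin === true && !Object.hasOwn(polluted, 'isAdmin'),
    tampered: hasTamperedPrototype(polluted),
    safeRejected: safeError !== null,
    globalUnaffected: ({}).isAdmin === undefined,
  };
}
```

The check that matters for a consumer is `hasTamperedPrototype` together with `Object.hasOwn`: an authorization flag that is present but not an own property is the symptom this flaw produces.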

CVEID: CVE-2022-3517
**DESCRIPTION:** minimatch is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the braceExpand function. By sending specially-crafted regex arguments, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/238615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Pak System | 2.3.3.0 - 2.3.3.6 (Intel) |
| IBM Cloud Pak System Software Suite | 2.3.3.0 - 2.3.3.6 (Intel) |
| IBM Cloud Pak System | 2.3.1.1, 2.3.2.0 (Power) |

Remediation/Fixes

For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version of the product.

This security bulletin applies to Cloud Pak System, Cloud Pak System Software, Cloud Pak System Software Suite.

For IBM Cloud Pak System V2.3.0.1, V2.3.1.0, V2.3.2.0, V2.3.3.0, V2.3.3.3, V2.3.3.3 iFix 1, V2.3.3.4, V2.3.3.5 for Intel

Upgrade to IBM Cloud Pak System V2.3.3.6, then apply Cloud Pak System V2.3.3.6 Interim Fix 1.

Information on upgrading to Cloud Pak System v2.3.3.6 is available at <https://www.ibm.com/support/pages/node/6959035>

For Cloud Pak System V2.3.3.6 for Intel

Apply Cloud Pak System V2.3.3.6 Interim Fix 1.

Information on upgrading to Cloud Pak System v2.3.3.6 Interim Fix is available at <https://www.ibm.com/support/pages/node/7017280>

For Cloud Pak System V2.3.1.1, V2.3.2.0 for Power
Upgrade to Cloud Pak System v2.3.3.7 and apply V2.3.3.7 Interim Fix 01 from IBM Fix Central.
Information on upgrading is available at <https://www.ibm.com/support/pages/node/6982511>

For Cloud Pak System V2.3.3.7 for Power
Apply Cloud Pak System V2.3.3.7 Interim Fix 01 from IBM Fix Central.

Information on upgrading is available at <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
|---|---|---|
| ibm cloud pak system software | eq | 2.3 |
